This Quick Start was built by AWS solutions architects and compliance experts in collaboration with Accenture, an AWS Premier Consulting Partner.

The Quick Start is part of a set of AWS compliance solutions. For additional AWS Quick Starts, see the complete catalog.

This Quick Start deploys and configures a standardized architecture for the Center for Internet Security (CIS) AWS Foundations Benchmark.

CIS Benchmarks are consensus-based configuration guidelines developed by experts in US government, business, industry, and academia to help organizations assess and improve security.

This Quick Start implements the CIS AWS Foundations Benchmark, which is a set of security configuration best practices for hardening AWS accounts, and provides continuous monitoring capabilities for these security configurations.

The Quick Start supports the benchmark by creating AWS Config rules, Amazon CloudWatch alarms, and CloudWatch Events rules in your AWS account. The deployment is automated by customizable AWS CloudFormation templates and scripts that build and configure the environment in about 10 minutes. The Quick Start also includes a security controls matrix (Microsoft Excel spreadsheet), which shows how the Quick Start components and configuration map to CIS controls.

What you'll build

The Quick Start sets up the following:

AWS Config rules – Some of the CIS Benchmark controls are implemented as custom AWS Config rules, which are backed by an AWS Lambda function, and AWS managed rules. To review these controls and their implementations, see the security controls matrix.

CloudWatch alarms – Continuous monitoring for some of the CIS controls is implemented using a combination of CloudWatch alarms and custom log metric filters. To review these controls and their implementations, see the security controls matrix.

CloudWatch Events – Continuous monitoring for some of the CIS controls is implemented using CloudWatch Events rules. To review these controls and their implementations, see the security controls matrix.

Lambda functions – All custom AWS Config and CloudWatch Events rules are backed by Lambda functions that implement the relevant CIS security control, and either report compliance status or notify the end user of a security configuration change.

AWS CloudTrail – The CloudWatch Events rules and alarms depend on CloudTrail for change tracking and reporting continuous compliance. The Quick Start provides an option for configuring CloudTrail. The Quick Start also includes a pre-condition check to verify if CloudTrail is configured in your AWS account before it implements the security configurations for all the CIS controls.

AWS Config – Both the custom AWS Config rules and AWS managed rules depend on the AWS Config service to be configured. The Quick Start provides an option for configuring AWS Config. The Quick Start also includes a pre-condition check to verify if AWS Config is configured in your AWS account before it implements the security configurations for all the CIS controls.

Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.